排除ACI OSPF鄰接故障
簡介
本文檔介紹對以應用為中心的基礎設施(ACI)開放最短路徑優先(OSPF)鄰接關係進行故障排除。
拓撲
拓撲
OSPF對等配置要求
OSPF是可以在Cisco ACI和外部路由器之間啟用的協定之一。Cisco ACI支援所有常用選項,例如OSPF區域(包括主幹)、各種末節選項、鄰居身份驗證以及其他類似選項。
L3Out包括路由協定選項、交換機特定配置(節點配置檔案)和介面特定設定(介面配置檔案)。OSPF相關引數主要可在兩個位置進行配置,就像普通路由器一樣。第一個是全虛擬路由和轉發(VRF)或全節點配置,例如可在L3Out自身上配置的區域ID和區域型別。第二個引數是介面級別引數,例如OSPF hello間隔或介面型別(廣播、點對點(P2P))。
以下是在ACI邊界枝葉和外部路由器之間建立OSPF鄰接關係的要求:
- OSPF區域ID和型別必須匹配
- OSPF路由器ID必須是唯一的
- 最大傳輸單元(MTU)必須匹配(預設情況下,交換矩陣將其設定為9000,大多數Cisco IOS®/NXOS將其設定為1500)
- OSPF身份驗證金鑰和型別必須匹配(如果使用)
- OSPF Hello間隔和Dead間隔必須匹配
- OSPF網路型別必須匹配
白皮書中詳細說明了有關用於支援路由協定的ACI L3Out的設計概念和選項。
如果您不熟悉L3Out設定和其他基本要求,請參考白皮書。
OSPF鄰接故障排除-一般檢查清單
無論OSPF鄰接關係以前是否已啟用或從未啟用,最好先驗證基本要求。
步驟 1.對遠端終端介面執行ping操作。這有助於確認您是否具有到遠端的IP可接通性,這是OSPF啟動的主要要求。
iping -V <vrf> <remote_end_IP>
example:
BL-301# iping -V abc1:vrf-1 192.0.2.50
步驟 2.驗證基本配置引數:
- OSPF區域ID和型別必須匹配
- OSPF路由器ID必須是唯一的
- MTU必須匹配(預設情況下,交換矩陣將其設定為9000,並且大多數Cisco IOS/NXOS將其設定為1500)
- OSPF身份驗證金鑰和型別必須匹配(如果使用)
- OSPF Hello間隔和Dead間隔必須匹配
- OSPF網路型別必須匹配
命令輸出顯示推送到枝葉的配置屬性。
BL-301# show ip int bri vrf abc1:vrf-1 IP Interface Status for VRF "abc1:vrf-1"(137) Interface Address Interface Status vlan1 192.0.2.1/24 protocol-up/link-up/admin-up --> l3out SVI lo9 192.168.0.1/32 protocol-up/link-up/admin-up --> Router ID SVI
BL-301# show ip ospf interface vlan 1
Vlan1 is up, line protocol is up
IP address 192.0.2.1/24, Process ID default VRF abc1:vrf-1, area backbone
Enabled by interface configuration
State P2P, Network type P2P, cost 4
Index 84, Transmit delay 1 sec
1 Neighbors, flooding to 1, adjacent with 1
Timer intervals: Hello 10, Dead 40, Wait 40, Retransmit 5
Hello timer due in 00:00:03
No authentication
Number of opaque link LSAs: 0, checksum sum 0
BL-301# show int vlan 1 | egrep "MTU"
MTU 9000 bytes, BW 10000000 Kbit, DLY 1 usec
BL-301# show ip ospf vrf abc1:vrf-1 | grep Routing
Routing Process default with ID 192.168.0.1 VRF abc1:vrf-1 --> Router ID
記下所有突出顯示的詳細資訊,並確認對應的遠端終端引數同步。
OSPF鄰接故障排除-故障
[+]From the border Leaf we can identify the state of the neighbor state
BL-301# show ip ospf neighbors vrf abc1:vrf-1
<<EMPTY>>
[+] You can check the associated faults to the VRF.
BL-301# moquery -c faultInst -x 'query-target-filter=wcard(faultInst.dn,"abc1:vrf-1")' | egrep "code|rule|dn|descr|lastTransition"
<<EMPTY>>
某些場景中不存在活動故障,但枝葉上可能存在一條故障記錄F1385(protocol-ospf-adjacency-down),它指向該鄰居關係上次運行的時間或從未處於完全狀態。
可使用moquery -c faultRecord -f 'fault.Inst.code=="F1385"' -x 'query-target-filter=wcard(faultRecord.dn,"abc1:vrf-1")' | grep dn命令來辨識此問題。
使用moquery -c faultRecord -f 'fault.Inst.code=="F1385"' -x 'query-target-filter=wcard(faultRecord.dn,"abc1:vrf-1")' -x 'query-target-filter=wcard(faultRecord.created,"2024-01-01")' | egrep "dn" | wc -l命令檢查任何特定日期的故障記錄數量。
您必須確定OSPF介面以及本地和遠端配置的IP。
[+] Identify the IP applied on the external device from the ARP associated to the interface
BL-301# moquery -c arpAdjEp -x 'query-target-filter=wcard(arpAdjEp.ifId,"vlan1")' | grep "ip "
ip : 192.0.2.50在節點上捕獲控制平面流量
在節點上捕獲控制平面流量對於邊界枝葉的預期源交換機和目標交換機虛擬介面(SVI),可以使用tcpdump實用程式進行檢查。
註:為此,使用允許您檢視所有CPU帶內控制平面網路流量的介面kpm_inb。
[+] Capture a single OSPF hello packet using TCPDUMP coming for local BL OSPF IP 192.0.2.1
BL-301# tcpdump src host 192.0.2.1 -vv -e -i kpm_inb
tcpdump: listening on kpm_inb, link-type EN10MB (Ethernet), capture size 262144 bytes
192.0.2.1 > ospf-all.mcast.net: OSPFv2, Hello, length 44
Router-ID 192.168.0.1, Backbone Area, Authentication Type: none (0)
Options [External]
Hello Timer 10s, Dead Timer 40s, Mask 255.255.255.0, Priority 1
[+] Capture a single OSPF hello packet using TCPDUMP coming from external device OSPF IP 192.0.2.50
BL-301# tcpdump src host 192.0.2.50 -vv -e -i kpm_inb
tcpdump: listening on kpm_inb, link-type EN10MB (Ethernet), capture size 262144 bytes
192.0.2.50 > ospf-all.mcast.net: OSPFv2, Hello, length 44
Router-ID 172.16.0.1, Backbone Area, Authentication Type: none (0)
Options [External]
Hello Timer 10s, Dead Timer 40s, Mask 255.255.255.0, Priority 1 Wireshark驗證
您可以捕獲OSPF和特定於HOST的流量,以便在Wireshark上對其進行分析。
BL-301# tcpdump -i kpm_inb proto ospf -vv -e -w - | tee /data/techsupport/Node-XXX_OSPF.pcap | tcpdump -r - host any
BL-301# tcpdump -xxxvi kpm_inb 'proto ospf and (host <<X.X.X.X>> or host <<Y.Y.Y.Y>>)' -w /data/techsupport/Node-XXX_OSPF_HOST.pcap
BL-301# tcpdump -i kpm_inb proto ospf -vv -e -w - | tee /data/techsupport/Node-XXX_OSPF_HOST.pcap | tcpdump -r - host X.X.X.X
對於pcap捕獲,您可以透過搜尋並使用Analyze > Apply as a Column來使用Wireshark過濾器。
ospf.area_id =用於標識區域ID
ospf.auth.type =以檢查配置的身份驗證型別是否匹配
ospf.hello.hello_interval =以檢查不同的MTU
ospf.hello.router_dead_interval =以檢查不同的dead間隔配置
ospf.srcrouter = RouterID
疑難排解案例
疑難排解案例排除OSPF鄰接故障:區域ID不匹配
排除OSPF鄰接故障:區域ID不匹配從區域ID為0.0.0.42的APIC配置中,導航至Fabric > Tenants > Networking > L3Outs > <<L3outName>> > Policy > Main。
配置的OSPF區域ID錯誤0.0.0.42
從邊界枝葉:
[+] Check OSPF interface details to confirm current area
BL-301# show ip ospf interface vlan 1 | grep area
IP address 192.0.2.1/24, Process ID default VRF abc1:vrf-1, area 0.0.0.42
Or
BL-301# moquery -c ospfIf -x 'query-target-filter=wcard(ospfIf.id,"vlan1")' | grep area
area : 0.0.0.42
[+] Capture a single packet TCPDUMP for local BL OSPF IP
BL-301# tcpdump src host 192.0.2.1 -vv -e -i kpm_inb -c 1
192.0.2.1 > ospf-all.mcast.net: OSPFv2, Hello, length 44
Router-ID 192.168.0.1, Area 0.0.0.42, Authentication Type: none (0)
Options [External]
Hello Timer 10s, Dead Timer 40s, Mask 255.255.255.0, Priority 1
[+] Capture a single OSPF hello packet using TCPDUMP coming from external device OSPF IP
BL-301# tcpdump src host 192.0.2.50 -vv -e -i kpm_inb -c 1
192.0.2.50 > ospf-all.mcast.net: OSPFv2, Hello, length 44
Router-ID 172.16.0.1, Backbone Area, Authentication Type: none (0)
Options [External]
Hello Timer 10s, Dead Timer 40s, Mask 255.255.255.0, Priority 1從外部裝置:
NX-OS# show logging log | tail -n 100 | grep ospf-bootcamp
2023 Dec 28 15:17:09 NX-OS %OSPF-4-AREA_ERR: ospf-bootcamp [22263] (301-l3-abc1) Packet from 192.0.2.1 on Ethernet1/2 received for wrong area 0.0.0.42
NX-OS# show ip ospf interface Ethernet1/2 | grep area
Process ID bootcamp VRF 301-l3-abc1, area 0.0.0.0
解決方案:將OSPF區域與BL上的0.0.0.0或主幹或外部裝置上的0.0.0.42匹配。
排除OSPF鄰接故障:區域型別不匹配
排除OSPF鄰接故障:區域型別不匹配在ACI GUI中,使用區域型別(NSSA或末節)進行配置,導航到Fabric > Tenants > Networking > L3Outs > "L3outName" > Policy > Main。
NSSA或末節區域配置。
從邊界枝葉:
[+] Capture a single packet TCPDUMP for local BL OSPF IP
BL-301# moquery -c ospfArea -x 'query-target-filter=wcard(ospfArea.dn,"abc1:vrf-1")' | egrep "type"
type : nssa
BL-301# tcpdump src host 192.0.2.1 -vv -e -i kpm_inb -c 1
192.0.2.1 > ospf-all.mcast.net: OSPFv2, Hello, length 44
Router-ID 192.168.0.1, Area 0.0.0.42, Authentication Type: none (0)
Options [NSSA]
Hello Timer 10s, Dead Timer 40s, Mask 255.255.255.0, Priority 1
or
BL-301# moquery -c ospfArea -x 'query-target-filter=wcard(ospfArea.dn,"abc1:vrf-1")' | egrep "type"
type : stub
BL-301# tcpdump src host 192.0.2.1 -vv -e -i kpm_inb -c 1
192.0.2.1 > ospf-all.mcast.net: OSPFv2, Hello, length 44
Router-ID 192.168.0.1, Area 0.0.0.42, Authentication Type: none (0)
Options [none]
Hello Timer 10s, Dead Timer 40s, Mask 255.255.255.0, Priority 1
[+] Capture a single OSPF hello packet using TCPDUMP coming from external device OSPF IP
BL-301# tcpdump src host 192.0.2.50 -vv -e -i kpm_inb -c 1
192.0.2.50 > ospf-all.mcast.net: OSPFv2, Hello, length 44
Router-ID 172.16.0.1, Area 0.0.0.42, Authentication Type: none (0)
Options [External]
Hello Timer 10s, Dead Timer 40s, Mask 255.255.255.0, Priority 1
從外部裝置:
[+] Check OSPF interfaces con vrf
NX-OS# show ip int bri vrf 301-l3-abc1
IP Interface Status for VRF "301-l3-abc1"(21)
Interface IP Address Interface Status
Lo1001 110.1.0.1 protocol-up/link-up/admin-up
Eth1/2.1120 192.0.2.50 protocol-up/link-up/admin-up
NX-OS# show ip ospf interface Ethernet1/2 | grep area
Process ID bootcamp VRF 301-l3-abc1, area 0.0.0.0
解決方案:在L3Out上定期匹配OSPF區域型別,或從外部裝置開始匹配。
OSPF鄰接故障排除:路由器ID重複
OSPF鄰接故障排除:路由器ID重複重複的路由器ID會阻止OSPF鄰接關係的形成。在ACI交換矩陣中,配置OSPF路由器ID後,枝葉使用路由器ID IP地址建立環回。由於此地址用於環回,因此當它發生故障時,不能使其與使用的介面IP重疊。
在本示例中,您可以確認鄰居裝置的路由器ID配置錯誤。
從ACI GUI導航至Fabric > Tenants > Networking > L3Outs > "L3outName" > "Node-X" > Configured Nodes > topology/pod-Y/node-X。
來自鄰居裝置的路由器ID配置錯誤。
從邊界枝葉:
[+] Check OSPF interfaces associated with the VRF
BL-301# show ip int bri vrf abc1:vrf-1
IP Interface Status for VRF "abc1:vrf-1"(137)
Interface Address Interface Status
vlan1 192.0.2.1/24 protocol-up/link-up/admin-up
lo9 172.16.0.1/32 protocol-up/link-up/admin-up
[+] Capture a single packet TCPDUMP for local BL OSPF IP
BL-301# tcpdump src host 192.0.2.1 -vv -e -i kpm_inb -c 1
192.0.2.1 > ospf-all.mcast.net: OSPFv2, Hello, length 44
Router-ID 172.16.0.1, Backbone Area, Authentication Type: none (0)
Options [External]
Hello Timer 10s, Dead Timer 40s, Mask 255.255.255.0, Priority 1
[+] Capture a single OSPF hello packet using TCPDUMP coming from external device OSPF IP
BL-301# tcpdump src host 192.0.2.50 -vv -e -i kpm_inb -c 1
192.0.2.50 > ospf-all.mcast.net: OSPFv2, Hello, length 48
Router-ID 172.16.0.1, Backbone Area, Authentication Type: none (0)
Options [External]
Hello Timer 10s, Dead Timer 40s, Mask 255.255.255.0, Priority 1
從外部裝置
NX-OS# show logging log | tail -n 100 | grep ospf-bootcamp
2024 Jan 4 13:55:36 NX-OS %OSPF-4-DUPRID: ospf-bootcamp [22263] (301-l3-abc1) Router 192.0.2.1 on interface Ethernet1/2.1120 is using our routerid, packet dropped
解決方案:在兩個裝置上使用不同的路由器ID。
在兩個裝置上使用不同的路由器ID
OSPF鄰接故障排除:MTU不匹配
OSPF鄰接故障排除:MTU不匹配在兩個OSPF相鄰路由器建立雙向通訊並完成指定路由器(DR)/BDR選擇(在廣播網路中)後,路由器會轉換到Exstart狀態。在此狀態下,相鄰路由器建立活動/備用關係,並確定交換DBD資料包時使用的初始資料庫描述符(DBD)序列號。
一旦協商active/standby關係(具有最高路由器ID的路由器變為active),相鄰路由器將轉換為交換狀態。在此狀態下,路由器交換DBD資料包,這些資料包描述其整個鏈路狀態資料庫。路由器還會傳送鏈路狀態請求資料包,這些資料包從鄰居請求最新的鏈路狀態通告(LSA)。
如果相鄰路由器介面的MTU設定不匹配,則路由器會停滯在Exstart/Exchange狀態。這是因為具有較高MTU的路由器會傳送一個大於在相鄰路由器上設定的MTU的封包,因此相鄰路由器會忽略該封包。
從採用預設繼承配置的APIC GUI配置,導航至Fabric > Tenants > Networking > L3Outs > "L3outName" > "Node-X" > Logical Interface Profiles > OSPF Interface Profile。
預設情況下,ACI交換矩陣將第3層介面MTU設定為9000而不是1500
預設情況下,ACI交換矩陣將第3層介面MTU設定為9000而不是1500。由於ACI具有更高的MTU,因此它會繼續接受來自外部路由器的DBD資料包,並嘗試確認這些資料包。
如果外部路由器具有較低或較高的MTU,它將忽略DBD資料包以及來自ACI的ACK,繼續重新傳輸初始DBD資料包,並保持Exstart/Exchange狀態。
從邊界枝葉:
[+]From the border Leaf we can identify the state of the neighborship relation
BL-301# show ip ospf neighbors vrf abc1:vrf-1
OSPF Process ID default VRF abc1:vrf-1
Total number of neighbors: 1
Neighbor ID Pri State Up Time Address Interface
172.16.0.1 1 EXCHANGE/ - 01:10:05 192.0.2.50 Vlan1
[+] You can check the associated faults to the Tenant:VRF / OSPF interface
BL-301# moquery -c faultInst -x 'query-target-filter=wcard(faultInst.dn,"abc1:vrf-1\/if-\[vlan1\]")' | egrep "code|rule|dn|descr|lastTransition"
code : F1385
descr : OSPF adjacency is not full, current state Exchange
dn : topology/pod-1/node-301/sys/ospf/inst-default/dom-abc1:vrf-1/if-[vlan1]/adj-172.16.0.1/fault-F1385
lastTransition : 2023-12-28T12:26:23.369-05:00
rule : ospf-adj-ep-failed
title : OSPF Adjacency Down
code : F3592
descr : OSPF interface vlan1 mtu is different than neighbor mtu
dn : topology/pod-1/node-301/sys/ospf/inst-default/dom-abc1:vrf-1/if-[vlan1]/fault-F3592
lastTransition : 2023-12-28T12:26:23.369-05:00
rule : ospf-if-mtu-config-mismatch-err
[+] Identify the MTU applied on the OSPF interface
BL-301# show int vlan 1 | egrep "MTU"
MTU 9000 bytes, BW 10000000 Kbit, DLY 1 usec
[+] If the default configuration is on place there will be a missmatch with the 1500 default
BL-301# show ip ospf event-history adjacency | grep "neighbor mtu"
2023-12-28T12:24:31.986149000-05:00 ospf default [20751]: TID 21885:ospfv2_check_ddesc_for_nbr_state:492:(abc1:vrf-1-base) DBD from 192.0.2.50,neighbor mtu [1500] is smaller than if mtu 9000
[+] Or if the locally configured MTU is lower tham external router
[2023-12-28T14:05:48.495659000-05:00:T:ospfv2_check_ddesc_for_nbr_state:478] abc1:vrf-1DBD from 192.0.2.50,neighbor mtu [1500] is large than if mtu 1200
可能的解決方案:
- 匹配兩台裝置上的MTU
當任一端的MTU發生變更時,由於已建立成員資格,因此直到下次交涉時才會變更,而且可以因為多種原因觸發。 例如,關閉物理介面、策略重新部署、枝葉重新載入、升級等。
導覽至Fabric > Tenants > Networking > L3Outs > "L3outName" > "Node-X" > Logical Interface Profiles > OSPF Interface Profile ,如下圖所示。
MTU配置為1500
- 關聯OSPF介面策略中的MTU忽略將重新建立連線。
當OSPF資料庫成長時可能出現MTU忽略問題。當MTU只差幾個位元組時,設定會持續很長時間,直到您偶然發現生成DBD的LSA的正確組合或更新大小正好合適的資料包為止。
小型實驗室中的測試工作正常,但生產網路可能會遇到意外行為。
導覽至Fabric > Tenants > Networking > L3Outs > "L3outName" > "Node-X" > Logical Interface Profiles > OSPF Interface Profile > Associated OSPF Interface Policy ,如下圖所示。
MTU忽略配置
排除OSPF鄰接故障:身份驗證不匹配
排除OSPF鄰接故障:身份驗證不匹配您可以在OSPF中啟用身份驗證,以便安全地交換路由更新資訊。OSPF身份驗證可以是none(或null)、simple或MD5。身份驗證方法「none」表示OSPF不使用身份驗證,並且是預設方法。使用簡單驗證時,密碼會在網路上以明文顯示。使用MD5驗證時,密碼不會透過網路傳遞。
以下是OSPF支援的三種不同型別的身份驗證。
空身份驗證—也稱為型別0,意味著資料包報頭中不包含身份驗證資訊。這是預設值。
簡單驗證—也稱為型別1,它使用簡單的明文密碼。
MD5身份驗證-也稱為型別2,它使用MD5加密密碼。
不需要設定驗證。但是,如果已設定,則同一網段上的所有對等路由器必須具有相同的密碼和身份驗證方法。
在ACI GUI中,導航至Fabric > Tenants > Networking > L3Outs > "L3outName" > "Node-X" > Logical Interface Profiles > OSPF Interface Profile ,如圖所示。
已配置MD5或簡單身份驗證
在 CLI 上:
[+] Check Authentication type configured
APIC# moquery -c ospfIfP -x 'query-target-filter=wcard(ospfIfP.dn,"tn-abc1\/out-Site2-L3Out-OSPF-BL-301")' | grep authType
authType : simple
[+] Capture a single packet TCPDUMP for local BL OSPF IP
BL-301# tcpdump src host 192.0.2.1 -vv -e -i kpm_inb -c 1
192.0.2.1 > ospf-all.mcast.net: OSPFv2, Hello, length 44
Router-ID 192.168.0.1, Backbone Area, Authentication Type: simple (1)
Simple text password: cisco
Options [External]
Hello Timer 10s, Dead Timer 40s, Mask 255.255.255.0, Priority 1
or
[+] Check Authentication type configured
APIC# moquery -c ospfIfP -x 'query-target-filter=wcard(ospfIfP.dn,"tn-abc1\/out-Site2-L3Out-OSPF-BL-301")' | grep authType
authType : md5
[+] Capture a single packet TCPDUMP for local BL OSPF IP
BL-301# tcpdump src host 192.0.2.1 -vv -e -i kpm_inb -c 1
192.0.2.1 > ospf-all.mcast.net: OSPFv2, Hello, length 44
Router-ID 192.168.0.1, Backbone Area, Authentication Type: MD5 (2)
Key-ID: 1, Auth-Length: 16, Crypto Sequence Number: 0x026c0a34
Options [External]
Hello Timer 10s, Dead Timer 40s, Mask 255.255.255.0, Priority 1
[+] Capture a single OSPF hello packet using TCPDUMP coming from external device OSPF IP
BL-301# tcpdump src host 192.0.2.50 -vv -e -i kpm_inb -c 1
192.0.2.50 > ospf-all.mcast.net: OSPFv2, Hello, length 48
Router-ID 172.16.0.1, Backbone Area, Authentication Type: none (0)
Options [External]
Hello Timer 10s, Dead Timer 40s, Mask 255.255.255.0, Priority 1
[+] Live OSPF trace Decode for VRF
BL-301# log_trace_bl_print_tool /var/sysmgr/tmp_logs/ospfv2_1_trace.bl | tail -n 250 | grep abc1:vrf-1 | grep key
[2024-01-04T16:23:29.650806000-05:00:T:ospfv2_set_authentication:70] abc1:vrf-1out pkt on Vlan1: auth simple text: key cisco
or
[2024-01-04T16:24:22.794682000-05:00:T:ospfv2_set_authentication:96] abc1:vrf-1out pkt on Vlan1: auth md5: key cisco, key id 1 Seq 40635829 (time 1704403462)
從外部裝置:
NX-OS# show logging log | tail -n 100 | grep ospf-bootcamp
2024 Jan 4 16:55:01 NX-OS %OSPF-4-AUTH_ERR: ospf-bootcamp [22263] (301-l3-abc1) Received packet from 192.0.2.1 on Ethernet1/2.1120 with bad authentication 1
or
2024 Jan 4 16:55:20 NX-OS %OSPF-4-AUTH_ERR: ospf-bootcamp [22263] (301-l3-abc1) Received packet from 192.0.2.1 on Ethernet1/2.1120 with bad authentication 2
解決方案:匹配身份驗證。
排除OSPF鄰接故障:Hello/Dead計時器不匹配
排除OSPF鄰接故障:Hello/Dead計時器不匹配OSPF Hello資料包是OSPF進程向其OSPF鄰居傳送的資料包,用於維護與這些鄰居的連線。Hello資料包以可配置的間隔(以秒為單位)傳送。乙太網鏈路的預設值為10秒(對於P2P和廣播網路型別)。Hello資料包包括已在dead間隔內收到hello資料包的所有鄰居的清單。dead間隔也可以配置(以秒為單位),預設為hello間隔值的四倍。網路中所有hello間隔的值必須相同。同樣,網路中所有dead間隔的值必須相同。
這兩個時間間隔共同作用,用於透過指示鏈路運行來保持連線。如果路由器在dead間隔內未收到來自鄰居的hello資料包,則會宣告該鄰居已關閉。
如果在ACI交換矩陣上修改了預設OSPF Hello和Dead計時器,它們必須與外部路由器匹配。
在ACI GUI中,導航至Fabric > Tenants > Networking > L3Outs > "L3outName" > "Node-X" > Logical Interface Profiles > OSPF Interface Profile > Associated OSPF Interface Policy ,如圖所示。
自訂Hello/Dead計時器
從邊界枝葉:
[+] Check OSPF interface configuration
BL-301# show ip ospf interface vlan 1 | egrep "Timer|Network"
State P2P, Network type P2P, cost 4
Timer intervals: Hello 20, Dead 42, Wait 42, Retransmit 5
Or
BL-301# moquery -c ospfIf -x 'query-target-filter=wcard(ospfIf.id,"vlan1")' | egrep "deadIntvl|helloIntvl|nwT"
deadIntvl : 42
helloIntvl : 20
nwT : p2p
Or
APIC# moquery -c ospfRsIfPol -x 'query-target-filter=wcard(ospfIfP.dn,"abc1\/out-Site2-L3Out-OSPF-BL-301")' | grep tnOspfIfPolName
tnOspfIfPolName : Custom_OSPF_Interface_Policy
APIC# moquery -c ospfIfPol -x 'query-target-filter=wcard(ospfIfPol.name,"Custom_OSPF_Interface_Policy")' | egrep "deadIntvl|helloIntvl|nwT"
deadIntvl : 42
helloIntvl : 20
nwT : p2p
[+] Capture a single packet TCPDUMP for local BL OSPF IP
BL-301# tcpdump src host 192.0.2.1 -vv -e -i kpm_inb -c 1
192.0.2.1 > ospf-all.mcast.net: OSPFv2, Hello, length 44
Router-ID 192.168.0.1, Backbone Area, Authentication Type: none (0)
Options [External]
Hello Timer 20s, Dead Timer 42s, Mask 255.255.255.0, Priority 1
[+] Capture a single OSPF hello packet using TCPDUMP coming from external device OSPF IP
BL-301# tcpdump src host 192.0.2.50 -vv -e -i kpm_inb -c 1
192.0.2.50 > ospf-all.mcast.net: OSPFv2, Hello, length 44
Router-ID 172.16.0.1, Backbone Area, Authentication Type: none (0)
Options [External]
Hello Timer 10s, Dead Timer 40s, Mask 255.255.255.0, Priority 1
從外部裝置:
[+] Check OSPF interfaces con vrf
NX-OS# show ip int bri vrf 301-l3-abc1
IP Interface Status for VRF "301-l3-abc1"(21)
Interface IP Address Interface Status
Lo1001 110.1.0.1 protocol-up/link-up/admin-up
Eth1/2.1120 192.0.2.50 protocol-up/link-up/admin-up
[+] Check OSPF configuration by default Dead timer on NX-OS devices is 4 times hello interval
NX-OS# show run ospf all | section Ethernet1/2.1120 | grep hello
ip ospf hello-interval 10
[+] Check OSPF interface advertized parameters
NX-OS# show ip ospf interface Ethernet1/2.1120 | grep Timer
Timer intervals: Hello 10, Dead 40, Wait 40, Retransmit 5
解決方案:匹配OSPF計時器。
排除OSPF鄰接故障:介面型別不匹配
排除OSPF鄰接故障:介面型別不匹配本部分介紹在ACI上配置廣播或未指定且外部裝置為P2P時的故障排除。
廣播
廣播- 廣播網路型別是啟用了OSPF的乙太網介面的預設型別
- 廣播網路型別要求鏈路支援第2層廣播功能
- 廣播網路型別具有10秒Hello和40秒Dead計時器(與P2P相同)
- OSPF廣播網路型別需要使用DR/BDR。
點對點
點對點- P2P OSPF網路型別不維護DR/BDR關係
- P2P網路型別具有10秒Hello和40秒Dead計時器
- P2P網路型別旨在用於兩個直連路由器之間
在ACI GUI中,導航至Fabric > Tenants > Networking > L3Outs > "L3outName" > "Node-X" > Logical Interface Profiles > OSPF Interface Profile > Associated OSPF Interface Policy ,如圖所示。
已配置廣播或未指定的網路型別
從邊界枝葉:
[+] Check OSPF neighborship relation
BL-301# show ip ospf neighbors vrf abc1:vrf-1
OSPF Process ID default VRF abc1:vrf-1
Total number of neighbors: 1
Neighbor ID Pri State Up Time Address Interface
172.16.0.1 1 INITIALIZING/DROTHER 00:06:42 192.0.2.50 Vlan1
[+] Check OSPF interface configuration
BL-301# moquery -c ospfIf -x 'query-target-filter=wcard(ospfIf.id,"vlan1")' | egrep "deadIntvl|helloIntvl|nwT"
deadIntvl : 40
helloIntvl : 10
nwT : bcast
or
BL-301# moquery -c ospfIf -x 'query-target-filter=wcard(ospfIf.id,"vlan1")' | egrep "deadIntvl|helloIntvl|nwT"
deadIntvl : 40
helloIntvl : 10
nwT : unspecified
Or
APIC# moquery -c ospfRsIfPol -x 'query-target-filter=wcard(ospfIfP.dn,"abc1\/out-Site2-L3Out-OSPF-BL-301")' | grep tnOspfIfPolName
tnOspfIfPolName : Custom_OSPF_Interface_Policy
APIC# moquery -c ospfIfPol -x 'query-target-filter=wcard(ospfIfPol.name,"Custom_OSPF_Interface_Policy")' | egrep "deadIntvl|helloIntvl|nwT"
deadIntvl : 40
helloIntvl : 10
nwT : bcast
APIC# moquery -c ospfIfPol -x 'query-target-filter=wcard(ospfIfPol.name,"Custom_OSPF_Interface_Policy")' | egrep "deadIntvl|helloIntvl|nwT"
deadIntvl : 40
helloIntvl : 10
nwT : unspecified
[+] Whether it is bcast or unspecified the interface will show as Broadcast
BL-301# show ip ospf interface vlan 1 | egrep "Timer|Network"
State DR, Network type BROADCAST, cost 4
Timer intervals: Hello 10, Dead 40, Wait 40, Retransmit 5
[+] Capture a single packet TCPDUMP for local BL OSPF IP
BL-301# tcpdump src host 192.0.2.1 -vv -e -i kpm_inb -c 1
192.0.2.1 > ospf-all.mcast.net: OSPFv2, Hello, length 48
Router-ID 192.168.0.1, Backbone Area, Authentication Type: none (0)
Options [External]
Hello Timer 10s, Dead Timer 40s, Mask 255.255.255.0, Priority 1
Designated Router 192.0.2.1
Neighbor List:
172.16.0.1
[+] Capture a single OSPF hello packet using TCPDUMP coming from external device OSPF IP
BL-301# tcpdump src host 192.0.2.50 -vv -e -i kpm_inb -c 1
192.0.2.50 > ospf-all.mcast.net: OSPFv2, Hello, length 44
Router-ID 172.16.0.1, Backbone Area, Authentication Type: none (0)
Options [External]
Hello Timer 10s, Dead Timer 40s, Mask 255.255.255.0, Priority 1
從外部裝置:
[+] Check OSPF interfaces con vrf
NX-OS# show ip int bri vrf 301-l3-abc1
IP Interface Status for VRF "301-l3-abc1"(21)
Interface IP Address Interface Status
Lo1001 110.1.0.1 protocol-up/link-up/admin-up
Eth1/2.1120 192.0.2.50 protocol-up/link-up/admin-up
[+] Check OSPF configuration by default Dead timer on NX-OS devices is 4 times hello interval
NX-OS# show run ospf all | section Ethernet1/2 | grep network
ip ospf network point-to-point
[+] Check OSPF interface advertized parameters
NX-OS# show ip ospf interface Ethernet1/2 | grep type
State P2P, Network type P2P, cost 1
驗證命令檢查表
驗證命令檢查表本文檔中引用了這些命令來排除不同情況的故障。
| 節點 |
命令 |
目的 |
| ACI交換機 |
|
檢查VRF上的鄰居關係 |
|
|
檢查與VRF關聯的OSPF介面 |
|
|
|
您可以檢查VRF的相關故障 |
|
|
|
檢查與VRF關聯的所有OSPF介面詳細資訊 |
|
|
|
檢查OSPF介面配置 |
|
|
|
從與介面關聯的ARP檢查應用於外部裝置的IP |
|
|
|
VRF的即時OSPF跟蹤解碼 |
|
|
|
捕獲要在Wireshark上分析的OSPF流量 |
|
|
|
捕獲HOST的特定流量以便在Wireshark上分析 |
|
|
|
捕獲HOST的SRC和DST特定流量,以便在Wireshark上分析 |
|
|
|
為和特定主機捕獲單個帶內控制平面 |
|
| ACI APIC |
|
檢查配置的身份驗證型別 |
|
|
檢查L3out路徑配置 |
|
|
|
檢查故障F1385 protocol-ospf-adjacency-down的歷史記錄 |
|
|
|
檢查L3out以獲取自定義關聯OSPF介面策略 |
|
|
|
檢查自定義關聯OSPF介面策略詳細資訊 |
|
| NXOS交換機 |
|
檢查OSPF介面con vrf |
|
|
檢查OSPF配置 |
|
|
|
檢查OSPF介面通告引數 |
相關資訊
相關資訊 修訂記錄
| 修訂 | 發佈日期 | 意見 |
|---|---|---|
1.0 |
15-May-2024
|
初始版本 |
意見